Meet Hidden Lynx: The most elite hacker crew you’ve never heard of

A hacking team with unusual skill and persistence has penetrated more than 100 organizations around the world, including US defense contractors, investment banks, and security companies whose sole purpose is to defend against such attacks, according to a detailed report.

One of the best known exploits of the so-called Hidden Lynx group was the devastating compromise of security firm Bit9 in 2012. The Waltham, Massachusetts, company provides an "application whitelisting" service that allows customers to run only a small set of approved software on their PCs and networks. By hacking into the company's servers and stealing the private cryptographic keys Bit9 used to digitally sign legitimate apps, the intruders were able to infect more valuable targets inside military contracting firms who used the service.

Until now, little has been known about the group responsible for the Bit9 attack. Now, a detailed report released by security firm Symantec reveals it was a highly organized gang of hackers that has breached some 100 companies and government organizations around the world since 2009. They're dubbed the Hidden Lynx gang, based on a text string found on one of the command and control (C&C) servers they use to communicate with infected machines inside the organizations they compromise.

"From the evidence seen, it's clear that Hidden Lynx belongs to a professional organization," the report stated. It continued:

They operate in a highly efficient manner. They can attack on multiple fronts. They use the latest techniques, have access to a diverse set of exploits, and have highly customized tools to compromise target networks. Their attacks, carried out with such precision on a regular basis over long periods of time, would require a well-resourced and sizeable organization. They possess expertise in many areas, with teams of highly skilled individuals who can adapt rapidly to the changing landscape. This team could easily consist of 50-100 individuals. This level of resources would be needed to build these Trojans, maintain infection and C&C infrastructure, and pursue confidential information on multiple networks. They are highly skilled and experienced campaigners in pursuit of information of value to both commercial and governmental organizations.

The Bit9 intrusion underscores the resourcefulness and persistence of the group. As thorough as that attack was, the hack was a mere detour taken on a longer path in a much more serious campaign. Dubbed VOHO, that campaign targeted US defense contractors. As it turned out, many of the VOHO targets used Bit9's application whitelisting service to prevent malware infections.

"When the Hidden Lynx attackers' progress was blocked by this obstacle, they reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose," Symantec analysts wrote in a separate Web post. "This is exactly what they did when they diverted their attention to Bit9 and breached their systems. Once breached, the attackers quickly found their way into the file signing infrastructure that was the foundation of the Bit9 protection model. They then used this system to sign a number of malware files and then these files were used in turn to compromise the true intended targets."

The report said the group is divided into two teams that use separate malware tools and sometimes work independently of each other. Team Moudoor, named for the trojan they use, takes a large-scale approach that broadly penetrates organizations in the financial industry, local and federal government organizations, and organizations related to healthcare, education, and law. Team Naid, by contrast, is more of a special operations squad that keeps a low profile so it can save its resources for the highest-profile targets in the defense industrial base.

The group pioneered so-called watering hole attacks, which infect a site with malware in the hopes of compromising the high-value targets known to frequent it. Members wield advanced, zero-day attacks that exploit security vulnerabilities in Oracle's Java, Microsoft's Internet Explorer, and other widely used software frameworks or applications. The report said their tactics and exploits are far more advanced than those of the Comment Crew, a China-affiliated hacking crew that researchers from security firm Mandiant said has siphoned terabytes of sensitive data from 141 organizations over the past seven years. Hidden Lynx also wielded one of the trojans that was used by the group that breached Google and at least 34 other companies in 2010.

"Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that is contracted by clients to provide information," Symantec researchers wrote. "They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets."

42 Reader Comments

Yes, but are they more elite than Chet Uber? Also, someone should let these absolutely terrifying hacker crews know that the government has black helicopters/drones with missiles and does not like competition?

And where's Guccifer anyways? Guccifer is even more terrifying than Omar Little.

The Bit9 intrusion underscores the resourcefulness and persistence of the group. As thorough as that attack was, the hack was a mere detour taken on a longer path in a much more serious campaign. Dubbed VOHO, that campaign targeted US defense contractors. As it turned out, many of the VOHO targets used Bit9's application whitelisting service to prevent malware infections.

I don't understand this. What is it with IT and Enterprise services' infatuation with third party services that don't even do as good a job as functionality that's already provided in an OS like Windows? AppLocker/Software Restriction Policies just have to be activated under Group Policy and in the case of AppLocker you can even require the whitelist to work only with a recognized hash of a currently installed executable (making an attack like this worthless as any small change in the program would result in a change in the hash), or be a bit more permissive and only allow signed applications.

That last bit may sound like the same kind of security flaw that befell Bit9, but application developers don't all sign the same applications. You could feasibly have it so only Google and Microsoft signed applications are allowed to run, or only Microsoft and Oracle signed applications - or any combination thereof from any developer that signs their executables.

It reminds me of the IT staff at my old school system that insist (to this very day - even after switching to Windows 7) on using Novell system log-in instead of the built-in Windows log-in services. It boggles the mind.
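The hash-versus-publisher trade-off in the comment above, as an added example that is neither the article's nor the commenter's: the AppLocker cmdlets build two policies from the same installed executables, one trusting the signing publisher and one trusting exact file hashes, then test a sample binary against each. The directory `C:\Program Files`, the test file `C:\Temp\sample.exe` and the output folder `C:\Temp` are assumptions, and the session must be elevated on a Windows build that ships the AppLocker module.

```powershell
# Added example (not from the article or the commenter). Assumed paths:
# executables to allow-list live under C:\Program Files, the binary under
# test is C:\Temp\sample.exe, generated policies are written to C:\Temp.
$appDir   = 'C:\Program Files'
$testFile = 'C:\Temp\sample.exe'
$outDir   = 'C:\Temp'

# Collect path, Authenticode publisher and file hash for every EXE found.
$files = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe

# Publisher rules: allow anything signed by the same publisher certificate.
# -Optimize collapses per-file rules into one rule per publisher. This trusts
# the signing key itself, so a binary signed with a stolen key passes.
# Unsigned files carry no publisher information and are skipped here.
$files |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize `
        -IgnoreMissingFileInformation -Xml |
    Out-File -Encoding utf8 -FilePath (Join-Path $outDir 'publisher-rules.xml')

# Hash rules: allow only these exact binaries. A file with different content
# has a different hash and is denied, whether it is signed or not. The flip
# side is that every legitimate update also changes the hash, so the policy
# has to be regenerated and re-deployed each time software is patched.
$files |
    New-AppLockerPolicy -RuleType Hash -User Everyone -Xml |
    Out-File -Encoding utf8 -FilePath (Join-Path $outDir 'hash-rules.xml')

# Evaluate the sample binary against each policy. Test-AppLockerPolicy only
# reports the decision the policy would make; nothing is enforced.
foreach ($policy in 'publisher-rules.xml', 'hash-rules.xml') {
    $decision = Test-AppLockerPolicy -XmlPolicy (Join-Path $outDir $policy) `
        -Path $testFile -User Everyone
    '{0,-22} {1,-18} {2}' -f $policy, $decision.PolicyDecision, $decision.MatchingRule
}
```

A binary signed by an allow-listed publisher but absent from the original directory is reported as Allowed under the publisher policy and Denied under the hash policy, which is the distinction the comment draws; rolling either policy out for real goes through Set-AppLockerPolicy in audit mode first.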

The Bit9 intrusion underscores the resourcefulness and persistence of the group. As thorough as that attack was, the hack was a mere detour taken on a longer path in a much more serious campaign. Dubbed VOHO, that campaign targeted US defense contractors. As it turned out, many of the VOHO targets used Bit9's application whitelisting service to prevent malware infections.

I don't understand this. What is it with IT and Enterprise services' infatuation with third party services that don't even do as good a job as functionality that's already provided in an OS like Windows? AppLocker/Software Restriction Policies just have to be activated under Group Policy and in the case of AppLocker you can even require the whitelist to work only with a recognized hash of a currently installed executable, or be a bit more permissive and only allow signed applications.

That last bit may sound like the same kind of security flaw that befell Bit9, but application developers don't all sign the same applications. You could feasibly have it so only Google and Microsoft signed applications are allowed to run, or only Microsoft and Oracle signed applications - or any combination thereof from any developer that signs their executables.

It reminds me of the IT staff at my old school system that insist (to this very day - even after switching to Windows 7) on using Novell system log-in instead of the built-in Windows log-in services. It boggles the mind.

2 reasons: cost and liability.

It can be cheaper for companies (in the short term, at least) to contract this work out to another company rather than hire employees to do the work. That way, you don't have to worry about paying the people doing the work, providing benefits, etc.

It also removes responsibility from the company (and the executive running the department) when something like this happens. They have a finger to point at someone else, rather than themselves for the security breach. That way, the executive who brought the contractors in (keeping payroll costs down) has a scapegoat to ensure he can still keep his job.

I don't understand this. What is it with IT and Enterprise services' infatuation with third party services that don't even do as good a job as functionality that's already provided in an OS like Windows? AppLocker/Software Restriction Policies just have to be activated under Group Policy and in the case of AppLocker you can even require the whitelist to work only with a recognized hash of a currently installed executable, or be a bit more permissive and only allow signed applications.

The idea is that you push the vetting process and management off onto a third party that you can just write a check to, rather than having your internal folks have to deal with it. For a larger organization that wanted to use SRP and had a large number of applications, the process of approving every single app, and every single update to every single app, and expiring the older versions over time becomes a full time job (or two). For some people, it's easier to just write a check and be done with it.

Same argument for WebSense vs. rolling your own, for any number of permissions-management apps vs. just having a good plan in place that you stick to, etc.

I don't happen to agree with that mentality, but it's not my check to write (or not).

The Bit9 intrusion underscores the resourcefulness and persistence of the group. As thorough as that attack was, the hack was a mere detour taken on a longer path in a much more serious campaign. Dubbed VOHO, that campaign targeted US defense contractors. As it turned out, many of the VOHO targets used Bit9's application whitelisting service to prevent malware infections.

I don't understand this. What is it with IT and Enterprise services' infatuation with third party services that don't even do as good a job as functionality that's already provided in an OS like Windows? AppLocker/Software Restriction Policies just have to be activated under Group Policy and in the case of AppLocker you can even require the whitelist to work only with a recognized hash of a currently installed executable, or be a bit more permissive and only allow signed applications.

That last bit may sound like the same kind of security flaw that befell Bit9, but application developers don't all sign the same applications. You could feasibly have it so only Google and Microsoft signed applications are allowed to run, or only Microsoft and Oracle signed applications - or any combination thereof from any developer that signs their executables.

It reminds me of the IT staff at my old school system that insist (to this very day - even after switching to Windows 7) on using Novell system log-in instead of the built-in Windows log-in services. It boggles the mind.

2 reasons: cost and liability.

It can be cheaper for companies (in the short term, at least) to contract this work out to another company rather than hire employees to do the work. That way, you don't have to worry about paying the people doing the work, providing benefits, etc.

It also removes responsibility from the company (and the executive running the department) when something like this happens. They have a finger to point at someone else, rather than themselves for the security breach. That way, the executive who brought the contractors in (keeping payroll costs down) has a scapegoat to ensure he can still keep his job.

Add a third reason: inability. He used school logins using Novell as an example and that is primarily because they don't know/want to know how to properly set up a network, they want to just pay to have some company do it (though I guess this could be under liability, I wouldn't say that their lack of ability is always liability).

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

Not really. There are moats and stuff, which is why not everyone can penetrate the systems. Which is why there are hackers for hire.

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

Probably because the internet is part and parcel of productivity these days and these organizations are into productivity. The internet isn't just for free desktop wallpaper and ring tones.

The reasons to stay connected to the internet are probably close to the reasons for having any kind of network at all. This ain't the Battlestar Galactica, you know.

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

In an ideal world, any http traffic is forced through a (monitored, hardened, whitelist-configured) proxy, and any non-web traffic is blocked or restricted to the IPs that traffic needs to go to. It can be done securely.

But... people want their Facebook and Gmail at work. If they don't get it, they throw a fit, the higher ups don't want to deal with the fit so they approve it, and the whole thing goes out the window. We use WebSense to block things we don't want our users doing, but it's so full of holes and exceptions to the rules that we may as well just not have it.

It's not the internet or the policies around it that are a problem, it's people that don't want to implement it properly because they don't want to deal with the problems it causes.

The Bit9 intrusion underscores the resourcefulness and persistence of the group. As thorough as that attack was, the hack was a mere detour taken on a longer path in a much more serious campaign. Dubbed VOHO, that campaign targeted US defense contractors. As it turned out, many of the VOHO targets used Bit9's application whitelisting service to prevent malware infections.

I don't understand this. What is it with IT and Enterprise services' infatuation with third party services that don't even do as good a job as functionality that's already provided in an OS like Windows? AppLocker/Software Restriction Policies just have to be activated under Group Policy and in the case of AppLocker you can even require the whitelist to work only with a recognized hash of a currently installed executable, or be a bit more permissive and only allow signed applications.

That last bit may sound like the same kind of security flaw that befell Bit9, but application developers don't all sign the same applications. You could feasibly have it so only Google and Microsoft signed applications are allowed to run, or only Microsoft and Oracle signed applications - or any combination thereof from any developer that signs their executables.

It reminds me of the IT staff at my old school system that insist (to this very day - even after switching to Windows 7) on using Novell system log-in instead of the built-in Windows log-in services. It boggles the mind.

2 reasons: cost and liability.

It can be cheaper for companies (in the short term, at least) to contract this work out to another company rather than hire employees to do the work. That way, you don't have to worry about paying the people doing the work, providing benefits, etc.

It also removes responsibility from the company (and the executive running the department) when something like this happens. They have a finger to point at someone else, rather than themselves for the security breach. That way, the executive who brought the contractors in (keeping payroll costs down) has a scapegoat to ensure he can still keep his job.

That doesn't explain using an entirely separate third party service though. You can always bring in a contractor who simply turns on default OS functionality. Cheaper. And you still have a scapegoat.

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

There was an old joke along these lines..."The safest computer is one not connected to the Internet, which is why I recommend AOL."

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

There was an old joke along these lines..."The safest computer is one not connected to the Internet, which is why I recommend AOL."

Didn't the Iranian industrial hacks sort-of disprove this?

By flooding an environment with a malware, someone's going to put it on an isolated computer somehow.

The next step is removing all IO from a computer, but then you might as well not have the computer...

This is exactly why we should all be terrified of the gigantic databases held by the NSA, Google, and many other government and commercial enterprises. Is there any reason to think some agencies and companies are more bulletproof than others? It doesn't appear that way from the long list of exploits we're aware of so far.

Even assuming these databases are held only for security or innocuous commercial purposes, does anyone doubt that they're just as vulnerable as the 100 organizations referenced in this article?

I am curious about the investigative group's conclusion that these hackers are essentially "guns for hire". If that was the case, then confirming for sure they were merely cyber mercenaries would entail no more than hiring them to do a job, and that couldn't be impossible, considering the scale of the break-ins they've perpetrated.

Wouldn't it be much more likely to believe they're state-controlled actors instead (in this case, chinese government, rather obviously), rather than acting on their own, seeing the level of coordination and resources they display?

We use WebSense to block things we don't want our users doing, but it's so full of holes and exceptions to the rules that we may as well just not have it.

WebSense is appallingly stupid software. It blocks the most obviously valid sites (major daily newspapers, etc.) and generally does everything possible to achieve the most spectacular flunking score on the Turing test imaginable. Not having it would be an incredibly good idea. And there's a lot to be said for simply trusting the members of your own organization (you know, that whole "presumed innocent" theme the Founding Fathers gave us! Using Internet filters is like keeping all your employees inside an electronic prison).

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

Probably because the internet is part and parcel of productivity these days and these organizations are into productivity. The internet isn't just for free desktop wallpaper and ring tones.

The reasons to stay connected to the internet are probably close to the reasons for having any kind of network at all. This ain't the Battlestar Galactica, you know.

Network doesn't always imply Internet.

In terms of cyber-security, the weakest link in the chain is always the one that's targeted, whether it's a wireless network access point, an underground network cable stretching a mile and a half in length, a truck carrying solid state drives halfway across the country, or even the integrity of a worker who was distributed enough one-time encryption pads to spend a lifetime watching cat videos on YouTube, the network can still be hacked. Taking it off the internet just adds to the physical logistics of hacking the system.

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

There was an old joke along these lines..."The safest computer is one not connected to the Internet, which is why I recommend AOL."

Didn't the Iranian industrial hacks sort-of disprove this?

By flooding an environment with a malware, someone's going to put it on an isolated computer somehow.

The next step is removing all IO from a computer, but then you might as well not have the computer...

Welcome to the world of Defence where mission critical systems have no working USB ports (PS/2 keyboards and mice), no CD drives and no connection outside the Restricted network they sit on.

That's how it used to work at least, until some financial genius decided that instead of having a separate network for Unclass/External work, they would embed an Internet portal into the restricted system to save money on extra desktop computers.

What draws skilled individuals to this kind of work? I'm sure this nets them a good income but a skilled person in any large software corp. will make great income, why go into something illegal?

Not everyone is obsessed with making more money than they need. For me the reasons would be: the challenges, it's fun, working from home, working your own hours, being your own boss and most importantly for me would be the family time. If I didn't want to work today and instead wanted to stay home with my kid I could (yesterday my kid begged me to stay home and that REALLY sucks). If my family wanted to go on vacation I could still work from the hotel. It is, apart from the illegality, the perfect job, and even though it's illegal if I could do it I would be. My family is the most important thing in the world and will always come first. Next week I'm going to ask my boss to give me Mondays off and if he refuses (unlikely) I will quit. I can do this because I have enough money to live quite comfortably and I am not obsessed with making more than I need.

Anyone want to bet that Lynx is either condoned, affiliated, or actually run by the cyberwarfare arm of the PLA or another PRC state apparatus? Seems like a convenient way to perform riskier or more crassly commercial attacks with some degree of deniability.

What draws skilled individuals to this kind of work? I'm sure this nets them a good income but a skilled person in any large software corp. will make great income, why go into something illegal?

I don't really know what actually prompted the first Cap'n Crunch whistle to be used as a phreaking device but if I know one thing about human nature, it's its insatiable thirst for the unknown. And greed.

Add to this the fact that some foreigners will never ever be considered for positions within the Fortune 500 companies, if only because of the language barrier.

Anyone want to bet that Lynx is either condoned, affiliated, or actually run by the cyberwarfare arm of the PLA or another PRC state apparatus? Seems like a convenient way to perform riskier or more crassly commercial attacks with some degree of deniability.

If NSA can do its thing why would the Chinese equivalent have to hide behind some weird names? They have nukes and even more important control over the dollar so like they give a fuck if US throws a fit. Nobody cares if you spy on Europeans since our politicians are so used to licking assholes that they instinctively do it no matter who it is.

Rest of the world doesn't matter in any way so who cares.

It's far more likely that it really is commercial operation as most countries don't have the NSA leaks to US businesses type of approach to government spying. Since you can't get info from the government against your competitors you need to get it elsewhere. Their targets seem to be heavily on the military side and that kind of business has never been especially ethical.

Given what we think we know of 'official' PLA/Politburo-approved cracking, it seems to me unlikely that Lynx could operate as freelancers without at least tacit laissez-faire official notice. I don't see where that many people could be operating so long, so directly, and so successfully without being seen.

Maybe, though, if they're so good, they're also good at covering themselves. Either way, it's a sweet deal for the people of Lynx; official sanction or not, they get to do what they like, presumably make a decent living at it, and are only at risk of law enforcement and the like if a few were to be sacrificed for show of good intentions on the part of officialdom.

As suggested the test would be to hire them, which might carry its own risks. For example, Iran or Belarus might hire Lynx; the former has already had a taste of the cyber lash, the latter could perhaps expect little more than a tut-tut and slap on the wrist. A covert portion of a TLA or equivalent in the US, UK, or Israel could do so also with varying but probably minor backlash if found out - I don't see a round of Church Committee hearings in the offing, it might raise a bit of stink in UK, and of Israel it might be thought to be in character - it wouldn't change their poll numbers [grin]. Another possibility would be if a large multi-national contracted with them - if they're big enough and important enough (rather a given, actually) then if discovered it would be business as usual.

Interesting story at any rate. I haven't read the pdf yet, so I'm just going by the article here at Ars.

If NSA can do its thing why would the Chinese equivalent have to hide behind some weird names? They have nukes and even more important control over the dollar so like they give a fuck if US throws a fit. Nobody cares if you spy on Europeans since our politicians are so used to licking assholes that they instinctively do it no matter who it is.

Rest of the world doesn't matter in any way so who cares.

It's far more likely that it really is commercial operation as most countries don't have the NSA leaks to US businesses type of approach to government spying. Since you can't get info from the government against your competitors you need to get it elsewhere. Their targets seem to be heavily on the military side and that kind of business has never been especially ethical.

With the commercial espionage side, they would be stealing from companies that they are also actively doing business with. It would make for a smoother business relationship if they don't get caught red-handed pilfering from their partners.

I still don't understand why critical industries like, say, defense, intelligence, high finance and national infrastructure were even allowed to stay plugged in to the 'global' internet anyway. It's almost as if we're leaving the castle gate open with a big old YARD SALE sign in front these days.

There was an old joke along these lines..."The safest computer is one not connected to the Internet, which is why I recommend AOL."

Didn't the Iranian industrial hacks sort-of disprove this?

By flooding an environment with a malware, someone's going to put it on an isolated computer somehow.

The next step is removing all IO from a computer, but then you might as well not have the computer...

He said safest, not 100% secure. And further, in your example those computers were infected by USBs, iirc, which were also inserted into non air-gapped systems. Essentially meaning the non-networked systems were in fact networked by way of walking USBs around.

A properly air gapped computer is still far more secure than anything else.

We use WebSense to block things we don't want our users doing, but it's so full of holes and exceptions to the rules that we may as well just not have it.

WebSense is appallingly stupid software. It blocks the most obviously valid sites (major daily newspapers, etc.) and generally does everything possible to achieve the most spectacular flunking score on the Turing test imaginable. Not having it would be an incredibly good idea.

I absolutely agree, but I'm not the one that makes those decisions.

Going back to the original point: the reason WebSense was chosen (vs. some other option like rolling our own) is that the appliances pull updates on a regular basis, and we don't have to handle those updates. If someone invents something to replace Facebook, it'll get thrown into the "Social Networks" category. If we block Social Networks, we've blocked that site as soon as the appliances pull down the update. Easy.

And there's a lot to be said for simply trusting the members of your own organization (you know, that whole "presumed innocent" theme the Founding Fathers gave us! Using Internet filters is like keeping all your employees inside an electronic prison).

Except that the inmates asked to come to our electronic prison, we pay them to show up and stamp the license plates, and they can stop coming to the prison if they don't like the conditions. Other than that, exactly the same.

We don't pay (the majority of) our users to browse the web, we pay them to stamp license plates. We give them the tools to stamp license plates as efficiently as possible, but we don't give them the tools to make sandwiches, cut down trees, or check Facebook, because that's not why they're there.

In your example, (most of) our users have no reason to browse legitimate newspaper sites, because their job in no way involves reading newspapers. People like HR may have access to newspaper sites because they need to look at classified ads and things, marketing may have access to Facebook to post whatever they post, but the guy in the trenches needs the internet about as much as I need a chainsaw.